Client certificate
Date: 2025-10-23
The Client Certificate device posture attribute checks if the device has a valid client certificate signed by a trusted certificate. The trusted certificate is uploaded to Cloudflare and specified as part of the posture check rule. The client certificate posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
Feature availability

| WARP modes | Zero Trust plans |
| --- | --- |
| All modes | All plans |

| System | Availability | Minimum WARP version¹ |
| --- | --- | --- |
| Windows | ✅ | 2024.6.415.0 |
| macOS | ✅ | 2024.6.416.0 |
| Linux | ✅ | 2024.6.497.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ | |

¹ Client certificate checks that ran on an earlier WARP version will continue to work. To configure a new certificate check, update WARP to the versions listed above.
Prerequisites
- A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
- Cloudflare WARP client is deployed on the device.
- A client certificate is installed and trusted on the device.
- Use the Upload mTLS certificate endpoint to upload the certificate and private key to Cloudflare. The certificate must be a signing certificate, formatted as a single string with `\n` replacing the line breaks. The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.

  Required API token permissions (at least one of the following): Account: SSL and Certificates Write

  The response will return a UUID for the certificate. For example:
1. In Zero Trust, go to Settings > WARP Client.
2. Scroll down to WARP client checks and select Add new.
3. Select Client certificate.
4. You will be prompted for the following information:
   - Name: Enter a unique name for this device posture check.
   - Operating system: Select your operating system.
   - OS locations: Specify the location(s) where the client certificate is installed.
     - Windows: Local machine trust store, User trust store
     - macOS: System keychain
     - Linux: NSSDB (`/etc/pki/nssdb`). To search a custom location, enter the absolute file path(s) to the certificate and private key (for example `/usr/local/mycompany/certs/client.pem` and `/usr/local/mycompany/certs/client_key.pem`). The certificate and private key must be in PEM format. They can either be in two different files or the same file.
   - Certificate ID: Enter the UUID of the signing certificate.
   - Common name: (Optional) To check for a Common Name (CN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate.
   - Check for Extended Key Usage: (Optional) Check whether the client certificate has one or more attributes set. Supported values are Client authentication (`1.3.6.1.5.5.7.3.2`) and/or Email (`1.3.6.1.5.5.7.3.4`).
   - Check for private key: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
   - Subject Alternative Name: (Optional) To check for a Subject Alternative Name (SAN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. You can add multiple SANs to the posture check; a certificate only needs to match one SAN for the check to pass.
5. Select Save.
Next, go to Logs > Posture and verify that the client certificate check is returning the expected results.
You can use the following commands to check if a client certificate is properly installed and trusted on the device.

Windows
- Open a PowerShell window.
- To search the local machine trust store for a certificate with a specific common name, run the following command:
- To search the user trust store for a certificate with a specific common name, run the following command:

macOS
- Open Terminal.
- To search System Keychain for a certificate with a specific common name, run the following command:

Linux
- Open Terminal.
- To list all client certificates in NSSDB, run the following command:
- Open your desired certificate using its certificate nickname. The common name will appear in the line `Subject: "CN=123456.mycompany"`.

For the posture check to pass, a certificate must appear in the output that validates against the uploaded signing certificate.
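The configuration fields above and this verification section together describe what WARP evaluates. The script below is an added example, not Cloudflare's or WARP's code: it reproduces those rules with the openssl CLI against PEM files of the kind used for a custom Linux location (issuer signature only, no chain walk; case-insensitive CN match with the `${serial_number}` and `${hostname}` variables; Client authentication EKU; a matching private key). The issuer, certificate and key files, the CN template `${serial_number}_MyCompany` and the serial `123456` are constructed sample values, and it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not Cloudflare's or WARP's code): reproduce the client certificate
# posture rules locally against PEM files, as in the Linux custom-location case.
# Assumes the openssl CLI, 1.1.1 or later. Run it in an empty scratch directory.

# Build a constructed issuing CA and a client certificate under it (sample data only).
make_sample_certs() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n' >ca.cnf
  printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >>ca.cnf
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:laptop01.mycompany\n' >client_ext.cnf
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=MyCompany Device CA" -keyout ca_key.pem -out issuer.pem >/dev/null 2>&1 || return 1
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=123456_mycompany" -keyout client_key.pem -out client.csr >/dev/null 2>&1 || return 1
  openssl x509 -req -in client.csr -CA issuer.pem -CAkey ca_key.pem -CAcreateserial \
    -days 2 -extfile client_ext.cnf -out client.pem >/dev/null 2>&1
}

# check_client_cert ISSUER CERT KEY CN_TEMPLATE [SERIAL]
# Mirrors the posture rules: signed directly by the uploaded issuer (no chain walk),
# CN exact and case-insensitive after expanding ${serial_number} and ${hostname},
# Client authentication EKU present, and a private key matching the certificate.
# Return codes: 0 pass, 1 signature, 2 common name, 3 EKU, 4 private key.
check_client_cert() {
  issuer=$1; cert=$2; key=$3; template=$4; serial=${5:-}
  # 1. -partial_chain trusts the issuing certificate itself instead of walking to a root.
  openssl verify -partial_chain -CAfile "$issuer" "$cert" >/dev/null 2>&1 || return 1
  # 2. Expand the template variables, then compare lower-cased values.
  host=$(hostname 2>/dev/null || uname -n)
  expected=$(printf '%s' "$template" |
    sed "s/[\$]{serial_number}/$serial/g; s/[\$]{hostname}/$host/g" | tr '[:upper:]' '[:lower:]')
  actual=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline |
    awk -F'CN=' '/CN=/ {print $2}' | tr '[:upper:]' '[:lower:]')
  [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 2
  # 3. Extended Key Usage must list Client authentication (1.3.6.1.5.5.7.3.2).
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null |
    grep -q 'TLS Web Client Authentication' || return 3
  # 4. The public half of the private key must equal the certificate's public key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 4
}

make_sample_certs
if check_client_cert issuer.pem client.pem client_key.pem '${serial_number}_MyCompany' 123456; then
  echo "client certificate satisfies the posture rules"
else
  echo "posture check would fail (code $?)"
fi
```

On a real device, replace the sample files with the issuer you uploaded to Cloudflare and the PEM paths configured as the custom OS location; a non-zero return code names the rule that would fail the check.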